MODULE 8
REPORT WRITING
Report writing is a comprehensive task that covers the methodology, the procedures, a proper
explanation of the report's content and design, a detailed example of a test report, and the
tester's personal experience. Once prepared, the report is shared with the senior management
and the technical team of the target organization.
The major elements of report writing are:
Objectives - Describe the overall purpose and benefits of the pen test.
Time - Including the testing period is very important, as it gives the accurate status of the
system at that time. If anything goes wrong later, the report protects the tester, because it
documents the risks and vulnerabilities within the penetration testing scope during that
specific period.
Target Audience - The report also needs to name its target audience, such as the information
security manager, the information technology manager, the chief information security officer,
and the technical team.
Report Classification - Reports need to be classified properly, as they are highly confidential:
they carry server IP addresses, application information, vulnerabilities and threats. The
classification must follow the information classification policy of the target organization.
Report Distribution - The number of copies and the distribution list should be stated in the
scope of work. It should also state that hardcopy distribution can be controlled by printing a
limited number of copies, each marked with its copy number and the receiver's name.
Report Writing Stages
Because of the comprehensive writing work involved, penetration test report writing is divided
into the following stages:
Report Planning
Information Collection
Writing the First Draft
Review and Finalization
Report Planning
Report planning begins with the objectives, which help readers understand the main purpose of
the penetration test: why the testing was conducted, what the benefits are, and so on. Report
planning also records the time taken for the testing.
Information Collection
Because the processes are complicated and lengthy, the pen tester must record every step to
make sure that all information was collected at every stage of testing. Alongside the methods,
they also need to record details of the systems and tools used, scanning results, vulnerability
assessments, details of the findings, etc.
Writing the First Draft
Once the tester has all the tools and information ready, they start the first draft. It should
be written in comprehensive detail, covering everything: all activities, processes, and
experiences.
Review and Finalization
Once the report is drafted, it has to be reviewed first by the drafter and then by the seniors
or colleagues who may have assisted. The reviewer is expected to check every detail of the
report and flag any flaw that needs to be corrected.
The content of a report generally follows this format:
Executive Summary
- Scope of Work
- Project Objectives
- Assumptions
- Timeline
- Summary of Findings
- Summary of Recommendations
Methodology
- Planning
- Exploitation
- Reporting
Detailed Findings
- Detailed system information
- Windows server information
Recommendations
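As an added example (not part of this module or its sources), a small Python check that a reviewer could run during the Review and Finalization stage: it parses a Markdown draft and verifies the items called for above, namely a classification marking, the testing period, hardcopies numbered with a receiver's name, and the section outline just listed. The Markdown heading layout, the "Key: value" front-matter lines and the sample draft are assumptions of the example.

```python
import re

# Outline given in this module: top-level section -> required subsections
OUTLINE = {
    "Executive Summary": ["Scope of Work", "Project Objectives", "Assumptions",
                          "Timeline", "Summary of Findings", "Summary of Recommendations"],
    "Methodology": ["Planning", "Exploitation", "Reporting"],
    "Detailed Findings": [], "Recommendations": [],
}
PERIOD = re.compile(r"^\d{4}-\d{2}-\d{2} to \d{4}-\d{2}-\d{2}$")  # testing period
COPY = re.compile(r"^Copy (\d+) of (\d+): \S.*$")  # numbered hardcopy with receiver's name
def check_report(text):
    """Review a Markdown draft against the module's outline; [] means it passes."""
    fields, copies, sections, current = {}, [], {}, None
    for line in text.splitlines():
        if line.startswith("# "):                 # top-level section
            current = line[2:].strip()
            sections[current] = []
        elif line.startswith("## ") and current:  # subsection of the current section
            sections[current].append(line[3:].strip())
        elif current is None and COPY.match(line):
            copies.append(tuple(map(int, COPY.match(line).groups())))
        elif current is None and ":" in line:     # front-matter "Key: value"
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    problems = []
    if "Classification" not in fields:
        problems.append("missing Classification marking")
    if not PERIOD.match(fields.get("Test Period", "")):
        problems.append("Test Period must read YYYY-MM-DD to YYYY-MM-DD")
    # copies must be numbered 1..N, all agreeing on N, each naming a receiver
    if sorted(i for i, _ in copies) != list(range(1, len(copies) + 1)) \
            or {n for _, n in copies} != {len(copies)}:
        problems.append("hardcopies must be numbered 1..N with a named receiver")
    for h1, subs in OUTLINE.items():
        if h1 not in sections:
            problems.append(f"missing section: {h1}")
        else:
            problems += [f"missing subsection: {h1} / {h2}" for h2 in subs if h2 not in sections[h1]]
    return problems

# Constructed draft for illustration (not a real engagement); 'Assumptions' is deliberately missing
SAMPLE_DRAFT = "\n".join([
    "Classification: CONFIDENTIAL", "Test Period: 2024-03-04 to 2024-03-15",
    "Copy 1 of 2: Information Security Manager", "Copy 2 of 2: IT Manager",
    "# Executive Summary", "## Scope of Work", "## Project Objectives", "## Timeline",
    "## Summary of Findings", "## Summary of Recommendations",
    "# Methodology", "## Planning", "## Exploitation", "## Reporting",
    "# Detailed Findings", "## Detailed system information", "# Recommendations",
])
```

Running check_report(SAMPLE_DRAFT) reports only the missing Assumptions subsection; adding that heading makes the draft pass.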
General Process
1. Planning
2. Footprinting
3. Exploiting
4. Reporting
1. Planning
In this step the security researcher covers points such as:
a. Test Name.
b. Scope of work.
c. Contract or NDA.
d. Conduct.
e. Type.
f. Team details.
2. Footprinting
a. Scanning.
b. Analyzing.
3. Exploiting
a. Alert Level.
b. Detail information about Alert.
4. Reporting
a. Compiling a report and updating the system.
References:
Penetration Testing Report Writing - Tutorials Point
https://www.tutorialspoint.com/penetration_testing/penetration_testing_report_writing.htm
The Penetration Testing Report - MTR Design
https://medium.com/@mtrdesign/the-penetration-testing-report-38a0a0b25cf2